If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Social Engineering Paper

Hey, I go to the University of Advancing Technology for network security. I just got finished the first draft of a short paper on the basics of social engineering. Wanted to get some input on it from you guys, so any help would be greatly appreciated. Thanks!

An Introduction to Social Engineering
By:
Ryan Wetenhall

What is Social Engineering? Why is it important? How can I protect myself against possible attacks? Everyone should be concerned about social-engineering. In this paper these issues will all be explained. After reading this paper you should grasp a basic understand of how social engineering can be devastating in the business world. Note that this information is intended for ethical use and prevention of such attacks. This information is not intended for malicious use of any kind.

Social Engineers take advantage of the weakest link in any organization’s information-security defenses: the employees. Social Engineering is the art of manipulating the trusting nature of human beings to be used for personal gain. Let’s face it; it is human nature to want to be trusting of people. Unfortunately, some people like to benefit from others’ weaknesses.
Typically, hackers will pose as someone else to gain information and access that he or she is not supposed to have access to. Once a hacker has access to a network, he or she can physically cause havoc to network resources, steal or delete files, and even commit industrial espionage against the company he or she is attacking.

The social engineer may pose as false support personnel, where he or she will claim that they need to update system software or talk a user into downloading new software, and then obtain remote control of the system. Others will ask for the administrator password and obtain full access to the system. Many administrators and users are paranoid when it comes to get virtually manipulated online such as clicking ad links and opening suspicious emails; but too many are still skeptics when it comes to person-to-person security.

Here’s an example taken from the book “Spies Among US” where world-renowned social-engineer Ira Winkler is paid by a corporation to social engineer his way into their company headquarters.

“They first scoped out the main entrance of the client’s building and found that the reception/security desk was in the middle of a large lobby and was staffed by a receptionist. The next day, the two men walked into the building during the morning rush while pretending to talk on cell phones. They stayed at least 15 feet from the attendant and simply ignored her as they walked by.
After they were inside the facility, they found a conference room to set up shop. They sat down to plan the rest of the day and decided a facility badge would be a great start. Mr. Winkler called the main information number and asked for the office that makes the badges. He was forwarded to the reception/security desk. He then pretended to be the CIO and told the person on the other end of the line that he wanted badges for a couple of subcontractors. The person responded ‘Send the subcontractors down to the main lobby.’
When Mr. Winkler and his accomplice arrived, a uniformed guard asked what they were working on, and they mentioned computers. The guard then asked them if they needed access to the computer room! Of course they said. Within minutes, they both had badges with access to all office areas and the computer operations center. They went to the basement and used their badges to open the main computer room door. They walked right in and were able to access a Windows server, load the user administration tool, add a new user to the domain, and make the user a member of the administrators’ group. Then they quickly left.
The two men had access to the entire corporate network with administrative rights within two hours. They also used the badges to perform after-hours walkthroughs of the building. In doing this, they found the key to the CEO’s office and planted a mock bug there.”

From that example you can see exactly how detrimental social engineering can be to a company. Within hours they had full administrative rights to the company’s network. This was actually quicker than it would take most hackers to access such a network. Note that most social engineers are outsiders of the company, as it is harder for insiders of a company to act as somebody else. Most social engineers are very detailed when it comes to their work, and research their target weeks in advance, obtaining references, background checks, etc of the company.

Another example is one that I have personally done. Note that this was all done with the full permission from the owner of the company. I called a local video store posing as the manager from another store of the same chain a few miles away. As an initial step for research, I visited both locations and noted the employees currently on duty. I even asked the manager of the target store what time he was on duty. Without hesitation of any kind, he told me. I then called the store from a public telephone with a private number.

“Hi this is Evan from the ********** in Lawnside. I have a Ryan Wetenhall here with an account at your store that has a movie showing up as overdue. He says he returned the movie last Tuesday around 10 p.m. at your location but it’s still showing up as overdue in our system. His account number is ********.”

Without any question, he replied “sorry about that, I’m sure it’s here somewhere… I’ll take it off the system right now, should be showing up clear in about 5 minutes.”

When I first tried this test I had no previous social engineering experience, and was amazed at the stupidity of the store manager. I then called the owner of the target location. The manager was fired the next morning.

Effective social engineers can obtain user or administrative passwords, security badges, keys, financial reports, physical property, employee information, and even customer lists and sales projections. If any of this is leaked out, it can lead to financial losses and create legal issues where information was to remain confidential by law..

The problem with preventing social engineering is that there are so many loopholes to cover up. The basic steps to social engineering are:
1. Perform research: this includes history of the company, employee names, dumpster diving (picking classified information out of a dumpster. All companies should have paper shredders to discard such information).
2. Build trust: talking to employees at the companies, acting like you know people you don’t.
3. Exploit relationship for information through words, actions, or technology
4. Use the information gathered for malicious purposes.

Now that you know what steps social engineers take, its time to learn how to prevent such people from gaining access to such fragile information. Some basic steps include: Classifying data, hiring employees and contractors and setting up user IDs, Terminating employees and contractors and removing their IDs, changing passwords regularly, escorting guests, and performing social engineering tests on your own business through security consulting firms.

The most important step to help prevent social engineering attacks is user awareness. Hold regular meetings in which such issues are taken in to consideration. Train users on detecting suspicious activity. Keep workers up to date with security information.

Other social-engineering prevention tips include:
• Escort all guests within a building
• Never send or open files from strangers
• Never give out passwords
• Never let a stranger connection to one of your network jacks for even a second. Network analyzers take virtually no time to plant.
• Classify all information, both hardcopy and electronic; train all employees on using such methods.
• NEVER allow anonymous access to File Transfer Protocol’s if you don’t have to.

As you can see from all of this information, social-engineering is a big problem in the business world, as people are trusting by nature. A good social engineer can obtain all the information he or she needs without even touching his or her computer. If you follow the prevention tips I have listed above, you should have a basic understand of how to prevent such situations, and just how detrimental having an insecure and untrained staff can be.

An interesting write-up, though you might want to double-check the "*"ing out of the company you are talking about in your own experiment, you mention them directly in a sentence.

\"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
Phillip Toshio Sudo, Zen Computer
Have faith, but lock your door.

Re: Social Engineering Paper

A first pass :

What is Social Engineering? Why is it important? How can I protect myself against possible attacks? If you are a network administrator, or manager of any type of business, you should be asking yourself these exact questions.

I don't know what the assignment is, but everybody should be worried about social engineering, not just managers, etc.

In this paper these issues will all be explained. After reading this paper you should grasp a basic understand of how social engineering can be devastating in the business world. Note that this information is intended for ethical use and prevention of such attacks. This information is not intended for malicious use of any kind.

Not really a necessary paragraph in my opinion. The paper will make these things clear.

Social Engineers take advantage of the weakest link in any organization’s information-security defenses: the employees. Social Engineering is the art of manipulating the trusting nature of human beings to be used for personal gain. Let’s face it; it is human nature to want to be trusting of people. Unfortunately, some people like to benefit from others’ weaknesses. This is where social engineering comes into play.

I get the feeling you are trying to stretch a bit for word count. The last sentence is redundant -- you have already made the connection.

Many administrators and users are paranoid when it comes to get virtually manipulated online such as clicking ad links and opening suspicious emails; but too many are still skeptics when it comes to physical security.

Physical security is only a part of social engineering -- using the telephone (as you do in the example below) is not a matter of physical security.

it is harder for insiders of a company to act as somebody else.

Depends on the size of the company. Someone inside has the advantages of knowing how things work in detail, assumed trust, and a certain level of legit access.

Most social engineers are very advanced.

Based on what ?

When I first tried this test I had no previous social engineering experience, and was amazed at the stupidity of the store manager.

Exactly.

create legal issues.

Vague. What legal issues ?

The problem with social engineering is that there are so many loopholes to cover up. The basic steps to social engineering are:

From the perspective of the social engineer, which you address here, these are advantages, not problems.

Now that you know what steps social engineers take, its time to learn how to prevent such people from gaining access to such fragile information. Some basic steps include: Classifying data, hiring employees and contractors and setting up user IDs, Terminating employees and contractors and removing their IDs, changing passwords regularly, escorting guests, and performing social engineering tests on your own business through security consulting firms.

Much of this paragraph is repeated in the list below.

• Never let a stranger connection to one of your network jacks for even a second. Network analyzers take virtually no time to plant.
NEVER allow anonymous access to File Transfer Protocol’s if you don’t have to. Many underground hacking teams scan for anonymous access of FTPs. Once in, they create invisible folders and upload illegal downloaded copies or ‘warez’ of music, programs, and movies.

These are very specific examples and seem out of place in the rest of the list.

You have covered most of the bases for a short paper, I think, but the presentation is a bit jumbled. Straighten it out, work on the flow, and it will be much improved.